# Clerk Blog — Page 11 # Next.js 13 Routes Part 2: Implementing Protected Routes URL: https://clerk.com/blog/next13-api-routes-2.md Date: 2023-01-25 Category: Guides Description: Learn how to create protected routes using React Context as well as how using Clerk makes this process easier. In part one of this series, you learned about Next.js API routes and how to protect API routes with JWT authentication. In this part, you'll learn how to create protected routes using React Context as well as how using [Clerk](/) makes this process easier. ## Exploring the Starter App To get started, a starter app already has been made that you can clone from [GitHub](https://github.com/heraldofsolace/NextJS-protected-routes-demo): ```bash git clone https://github.com/heraldofsolace/NextJS-protected-routes-demo.git cd NextJS-protected-routes-demo yarn install yarn dev ``` The app will start running at `localhost:3000`. The posts page can be found at `http://localhost:3000/posts`, which shows a list of all the posts. ![List of all posts](./d2kASE5.png) This page has a companion API route that returns all the posts in JSON: ```bash $ curl "http://localhost:3000/api/posts" [{"id":1,"userId":1,"text":"Hello, World!"},{"id":2,"userId":2,"text":"Hello, NextJS"},{"id":3,"userId":1,"text":"Lorem ipsum dolor sit amet. "},{"id":4,"userId":3,"text":"Lorem ipsum dolor sit amet, consectetur adipiscing elit. Curabitur ut rhoncus neque. Sed lacinia magna a mi tincidunt, ac interdum."}] ``` The data for posts is stored in **data.js**. The `/api/auth/login` route implements JWT authentication and returns a JWT when the correct username and password combination is supplied: ```bash $ curl -X POST "http://localhost:3000/api/auth/login" -d '{"username": "john", "password": "password"}' -H 'Content-Type: application/json' {"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjMsImxvY2F0aW9uIjoiRnJhbmNlIiwibmFtZSI6IkpvaG4iLCJpYXQiOjE2Njk0NDUzMDQsImV4cCI6MTY2OTUzMTcwNH0.mlShbJr6xG8TIOyY6B2gD0c-leoyw1T3Sr5EncTgl00"} ``` Finally, the `/api/users/me` route returns the currently authenticated user, provided a valid JWT is passed in the header: ```bash $ curl http://localhost:3000/api/users/me -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjMsImxvY2F0aW9uIjoiRnJhbmNlIiwibmFtZSI6IkpvaG4iLCJpYXQiOjE2Njk0NDUzMDQsImV4cCI6MTY2OTUzMTcwNH0.mlShbJr6xG8TIOyY6B2gD0c-leoyw1T3Sr5EncTgl00" {"id":3,"username":"john","name":"John","location":"France"} ``` The user profiles can also be found in **data.js**. The goal of the article is to protect the `/api/posts` API route and the `/posts` page using the JWT authentication strategy. In part one, you saw how JWT authentication can be added to API routes using the `jwt.verify` method. However, it's resource intensive to manually verify and decode the JWT in every single API route. It's also tedious to manually include the authentication header in every request that you make from a page. In this article, you'll learn how to "share" an authenticated session across all pages by using an `AuthContext`. You'll also refactor the JWT verification to a `withAuth` wrapper that will make it easy to protect API routes. Finally, you'll see how using Clerk makes this process smooth and seamless. ## Implementing AuthContext `AuthContext` is simply a [React Context](https://reactjs.org/docs/context.html) that will make it easy to pass required authentication parameters throughout the app. To implement this, first install the required libraries: ```bash yarn add js-cookie axios ``` `js-cookie` will be used to store the JWT in the browser's cookie. `axios` makes it easy to preconfigure a default API service with headers. You'll use this to include the token in the headers once the user logs in. Create a file named **api.js** in the project root: ```javascript import Axios from 'axios' const api = Axios.create({ baseURL: 'http://localhost:3000', headers: { Accept: 'application/json', 'Content-Type': 'application/json', }, }) export default api ``` Here, an instance of `axios` is created that will be used to make API calls later. Create the file `auth_context.js`: ```javascript import React, { createContext, useState, useContext, useEffect } from 'react' import Cookies from 'js-cookie' import api from './api' import jwt from 'jsonwebtoken' const JWT_KEY = process.env.JWT_SECRET_KEY const AuthContext = createContext({}) export const AuthProvider = ({ children }) => { const [user, setUser] = useState(null) const [isLoading, setIsLoading] = useState(true) useEffect(() => { async function fetchUserFromCookie() { const token = Cookies.get('token') if (token) { api.defaults.headers.Authorization = `Bearer ${token}` const { data: user } = await api.get('api/users/me') if (user) setUser(user) } setIsLoading(false) } fetchUserFromCookie() }, []) const login = async (username, password) => { const { data: { token }, } = await api.post('api/auth/login', { username, password }) console.log('TOKEN ', token) if (token) { Cookies.set('token', token, { expires: 60 }) api.defaults.headers.Authorization = `Bearer ${token}` const { data: user } = await api.get('api/users/me') setUser(user) } } const logout = () => { Cookies.remove('token') setUser(null) delete api.defaults.headers.Authorization window.location.pathname = '/login' } return ( {children} ) } export const useAuth = () => useContext(AuthContext) ``` The most important bits in the above Context are the `fetchUserFromCookie`, `login`, and `logout` functions. The `fetchUserFromCookie` function fetches the token from the cookie and sets the `authorization` header in the default `api` instance. It then makes a call to `/api/users/me` to retrieve and store the authenticated user. The `login` function logs in the user through the `/api/auth/login` route and stores the token in the cookie. The `logout` function deletes the user, the cookie, and the `authorization` header. Finally, create the `withAuth` function that'll protect the API routes by wrapping the handlers: ```javascript export const withAuth = (handler) => { return (req, res) => { const { authorization } = req.headers if (!authorization) return res.status(401).json({ error: 'The authorization header is required' }) const token = authorization.split(' ')[1] jwt.verify(token, JWT_KEY, (err, payload) => { if (err) return res.status(401).json({ error: 'Unauthorized' }) req.auth = { user: payload } handler(req, res) }) } } ``` You can now modify `pages/api/posts.js` to include `withAuth`: ```javascript import { withAuth } from '../../auth_context' import { users, posts } from '../../data' export default withAuth((req, res) => { const { userId } = req.auth.user const userPosts = posts.filter((post) => { return post.userId == userId }) res.status(200).json(userPosts) }) ``` Note that only the posts by the logged in user are returned. The logged in user is found through `req.auth.user`. Let's now create the login page. First, add [Formik](https://formik.org) and [Yup](https://www.npmjs.com/package/yup). These are not strictly required but will help in creating the login form. ```bash yarn add formik yup ``` Create `pages/login.js`: ```javascript import React from 'react' import { Formik, ErrorMessage, Form, Field } from 'formik' import * as Yup from 'yup' import { useAuth } from '../auth_context' import { useRouter } from 'next/router' import api from '../api' const LoginForm = () => { const { login } = useAuth() const router = useRouter() return ( { try { await login(username, password) setSubmitting(false) router.push('/posts') } catch (error) { const formikErrors = { password: error.response.data.error } setErrors(formikErrors) setSubmitting(false) } }} > {({ isSubmitting }) => (


)} ) } export default LoginForm ``` This page uses the `login` function described above to log in the user. Now update `pages/posts.js` to make use of `AuthContext`: ```javascript import { useEffect, useState } from 'react' import api from '../api' import { useAuth } from '../auth_context' export default function Posts() { const [posts, setPosts] = useState(null) const { user, logout } = useAuth() console.log(user) useEffect(() => { async function fetchPosts() { const { data: postsList } = await api.get('api/posts') setPosts(postsList) console.log(postsList) } if (user) fetchPosts() }, [user]) return ( <> ) } ``` Finally, update `pages/_app.js` to wrap everything in `AuthProvider`: ```javascript import '../styles/globals.css' import { AuthProvider } from '../auth_context' function MyApp({ Component, pageProps }) { return ( ) } export default MyApp ``` Start the server with `yarn dev` and visit `http://localhost:3000/login`. Log in with the credentials (you can find the username in **data.js** and the password is "password") and you'll be redirected to the posts page. You can verify that you're only seeing posts from the logged in user. The final app for this section can be found in the `manual` branch of the [GitHub repo](https://github.com/heraldofsolace/NextJS-protected-routes-demo.git). ## Authentication with Clerk In this section, you'll replace the manual authentication with [Clerk](/). Before starting with Clerk, you should revert the changes you've made so far. You can simply run `git stash && git clean -fdx` to stash your changes. First, [create an application](/docs/authentication/set-up-your-application) in Clerk. You can keep all the default options. ![Creating an application in Clerk](./vvJUUtJ.png) Once the application is created, go to the **API keys** page and copy the frontend API key, the backend API key, and the JWT verification key. Paste these into `.env`: ``` NEXT_PUBLIC_CLERK_FRONTEND_API=your_frontend_api_key CLERK_API_KEY=your_backend_api_key CLERK_JWT_KEY=your_jwt_key ``` Install the required library: ```bash yarn add @clerk/nextjs ``` Wrap `pages/_app.js` with `Clerkprovider`: ```javascript import { ClerkProvider, SignedIn, SignedOut, RedirectToSignIn } from '@clerk/nextjs' import { useRouter } from 'next/router' const publicPages = ['/'] function MyApp({ Component, pageProps }) { const { pathname } = useRouter() const isPublicPage = publicPages.includes(pathname) return ( {isPublicPage ? ( ) : ( <> )} ) } export default MyApp ``` The `publicPages` array decides which pages will not be protected under authentication. For a protected page, if the user is not signed in, they will be redirected to the login page. Create the file **middleware.js** in the project route: ```javascript import { withClerkMiddleware } from '@clerk/nextjs/server' import { NextResponse } from 'next/server' export default withClerkMiddleware((req) => { return NextResponse.next() }) // Stop Middleware running on static files export const config = { matcher: '/((?!.*\\.).*)' } ``` Modify `pages/api/posts.js` to include the `getAuth` function that authenticates the user with Clerk: ```javascript import { posts } from '../../data' import { getAuth } from '@clerk/nextjs/server' export default function handler(req, res) { const { userId } = getAuth(req) const userPosts = posts.filter((post) => { return post.userId == userId }) res.status(200).json(userPosts) } ``` In the Clerk dashboard, go to the **Users** page and create a test user. ![Creating a new user](./qKmIBQi.png) After the user is created, open the record and copy the ID as shown below. ![Copying user ID](./a1f73gA.png) Open **data.js** and replace the numeric `id` field of any one user and the `userId` field in the `posts` array: ```javascript export const users = [ { id: 'user_2IUxt1YsiCfebtlUwOe5dU91Det', username: 'bob', name: 'Bob', location: 'USA', password: '$2y$10$mj1OMFvVmGAR4gEEXZGtA.R5wYWBZTis72hSXzpxEs.QoXT3ifKSq', }, // ... ] export const posts = [ { id: 1, userId: 'user_2IUxt1YsiCfebtlUwOe5dU91Det', text: 'Hello, World!', }, // ... { id: 3, userId: 'user_2IUxt1YsiCfebtlUwOe5dU91Det', text: 'Lorem ipsum dolor sit amet. ', }, // ... ] ``` Run the server again with `yarn dev`. Visit `http://localhost:3000/posts` and you should be redirected to Clerk's login page. ![Clerk's login page](./j8qJYJV.png) After logging in, you'll be redirected back to the `/posts` page. Verify that you can see only the posts corresponding to the logged in user. ![The posts page](./IYQC9tp.png) ## Conclusion Protecting Next.js routes with authentication is a vital part of developing any web app. However, manually creating authentication mechanisms can be tedious and time-consuming. A solution like Clerk’s [Next.js authentication](/nextjs-authentication) comes with all the bells and whistles so that you don't need to worry about auth and can focus on the core app instead. --- # Next.js 13 Routes Part 1: Getting Started with Next.js API Routes URL: https://clerk.com/blog/next13-api-routes-1.md Date: 2023-01-25 Category: Guides Description: API routes in Next.js provide a solution to build server-side API logic. An API route creates a server-side bundle separate from the client-side bundle. As is usual for Next.js pages, file-based routing is used to create API routes, where files inside `pages/api` are mapped to `/api/*` routes. Apart from building the backend logic, you can use API routes to run logic that depends on a secret you don't want to expose to the client—for example, connecting to a database through a database URL string. Since API routes are server-side only, you don't have to worry about exposing the database credentials to the client. You can also use API routes to mask external service URLs. For example, if you call `https://some-service/foo`, you can route it through an API route such as `/api/foo` to hide the actual URL used. In this article, you'll get hands-on experience in building API routes while learning about different types of API routes in Next.js. ## Implementing API Routes in Next.js To follow this tutorial, make sure you have [Node.js 14.6.0](https://nodejs.org) or newer. This article uses [Yarn](https://yarnpkg.com) as the package manager, but you can also use npm. If you'd like to see the code of the finished application, you can find it in this [GitHub repo](https://github.com/heraldofsolace/nextjs-api-demo). First, create a Next.js app: ```sh yarn create next-app ``` Once you're prompted, choose a name for your app—for example, `api-routes-demo`. Select **No** when asked if you want to use TypeScript. You can keep the default answers to all the other questions. After the app is created, move into the app directory. You can delete the **pages/api/hello.js** file that was created by default. To work with the app, you'll need some sample data. To keep things simple, you'll use a static data set, but in a real-world app, you'll likely use a database. Create the file **data.js** in the project root: ```jsx export const users = [ { id: 1, username: 'bob', name: 'Bob', location: 'USA', }, { id: 2, username: 'alice', name: 'Alice', location: 'Sweden', }, { id: 3, username: 'john', name: 'John', location: 'France', }, ] export const posts = [ { id: 1, userId: 1, text: 'Hello, World!', }, { id: 2, userId: 2, text: 'Hello, NextJS', }, { id: 3, userId: 1, text: 'Lorem ipsum dolor sit amet. ', }, { id: 4, userId: 3, text: 'Lorem ipsum dolor sit amet, consectetur adipiscing elit. Curabitur ut rhoncus neque. Sed lacinia magna a mi tincidunt, ac interdum.', }, ] export const comments = [ { id: 1, postId: 1, userId: 2, text: 'Hi there!', }, { id: 2, postId: 1, userId: 3, text: 'Lorem ipsum', }, { id: 3, postId: 2, userId: 1, text: 'Nulla bibendum risus sed vestibulum lobortis. Fusce.', }, { id: 4, postId: 2, userId: 1, text: 'In ut nulla vitae dolor scelerisque lacinia. ', }, { id: 5, postId: 2, userId: 1, text: 'Praesent semper enim eu ligula rutrum finibus.', }, ] ``` ## Basics of API Routes The heart of the API routes is the pages/api directory. Any file in this directory is mapped to a route of the form `/api/*`. So, the file `pages/api/foo.js` will get mapped to `/api/foo`. To make the API route work, you'll need to export a default function from the file, as shown below: ```jsx export default function handler(req, res) {} ``` The function receives two arguments: - `req`: An instance of [http.IncomingMessage](https://nodejs.org/api/http.html#class-httpincomingmessage), with some [pre-built middleware](https://nextjs.org/docs/api-routes/request-helpers) - `res`: An instance of [http.ServerResponse](https://nodejs.org/api/http.html#class-httpserverresponse), with some [helper functions](https://nextjs.org/docs/api-routes/response-helpers) Before proceeding, keep these two things in mind: 1. Next.js 13 introduced a new [app directory](https://beta.nextjs.org/docs/routing/fundamentals#the-app-directory) that offers an improved routing system over the traditional `pages` directory. However, *API routes should still be [defined in the pages/api directory](https://beta.nextjs.org/docs/data-fetching/api-routes)*. As this article is being written, the Next.js team hasn't decided yet how API routes will look like in the `app` directory. So this article will use the usual `pages/api` directory structure, but keep in mind it may change in the future. 2. Next.js offers a beta version of [Edge API routes](https://nextjs.org/docs/api-routes/edge-api-routes), which use the [Edge Runtime](https://nextjs.org/docs/api-reference/edge-runtime). These API routes are often faster than their Node.js runtime counterparts but come with limitations such as not having access to native Node.js APIs. This article will not discuss Edge API routes and will only deal with standard API routes. ### Static Routes A static route is a fixed, predefined route that matches a single path verbatim. Next.js offers two equivalent ways of creating static routes. If you want a static route `/api/foo`, you can do one of the following: 1. Create the file **foo.js** in `pages/api`, or 2. Create the file **index.js** in a directory named `foo` in `pages/api` Even though both approaches are equivalent, the second approach is much easier to work with if you have nested or dynamic routes under that particular route, as you'll see later. Let's create two static routes—`/api/users` and `/api/posts`—and see both approaches in action. First, create a `users` directory in `pages/api` and create an **index.js** file in this directory with the following code: ```jsx import { users } from '../../../data' export default function handler(req, res) { res.status(200).json(users) } ``` As you can see, the `handler` function returns the list of users with a `200` status. You can test this route by sending a GET request to `localhost:3000/api/users`: ```sh $ curl [{"id":1,"username":"bob","name":"Bob","location":"USA"},{"id":2,"username":"alice","name":"Alice","location":"Sweden"},{"id":3,"username":"john","name":"John","location":"France"}] ``` You'll take the second approach for the `/api/posts` route. Create the file `posts.js` in `pages/api`: ```jsx import { posts } from '../../data' export default function handler(req, res) { res.status(200).json(posts) } ``` Similar to the previous route, this one returns the list of all posts. A similar `GET` request can be used to test this route: ```sh $ curl [{"id":1,"userId":1,"text":"Hello, World!"},{"id":2,"userId":2,"text":"Hello, NextJS"},{"id":3,"userId":1,"text":"Lorem ipsum dolor sit amet. "},{"id":4,"userId":3,"text":"Lorem ipsum dolor sit amet, consectetur adipiscing elit. Curabitur ut rhoncus neque. Sed lacinia magna a mi tincidunt, ac interdum."}] ``` It's possible to pass query parameters to routes such as `/api/foo?bar=baz`. These query parameters can be accessed in the handler function through the `req.query` object. Let's see this by passing a `limit` query parameter to the `/api/posts` route. Modify `posts.js` with the following code: ```jsx import { posts } from '../../data' export default function handler(req, res) { const { limit } = req.query res.status(200).json(posts.slice(0, limit)) } ``` Now you can pass the `limit` parameter to limit the number of results: ```sh $ curl "" [{"id":1,"userId":1,"text":"Hello, World!"},{"id":2,"userId":2,"text":"Hello, NextJS"}] ``` ### Dynamic Routes Fixed static routes may not be always enough for complex routing needs. For example, if you have multiple users, it's not convenient to set up individual static routes for each user, such as `/api/users/1`, `/api/users/2`, and so on. To solve this, you need to use dynamic routes, where one or more segments work as parameters that the user can pass. For example, a route like `/api/users/[id]` can match `/api/users/xxx`, where `xxx` can be any valid URL component. The actual parameter passed through the URL can be accessed by the name assigned in the route (`id` in this example), and the appropriate record can be fetched from the database. To create a dynamic segment, you need to add square brackets (`[ ]`) around the name of the file. For example, **pages/api/users/\[id].js** will be mapped to the route `/api/users/[id]`. Just like in the case of static routes, you can also create a directory named `[id]` and create **index.js** inside it. Both approaches are precisely equivalent. The parameter `id` can be accessed in the handler function through the `req.query` object: ```jsx const { id } = req.query ``` It's possible to have multiple dynamic segments by using a nested directory structure. For example, `pages/api/users/[id]/[postId].js` will be mapped to `/api/users/[id]/[postId]`, and both id and postId can be accessed via `req.query`: ```json { "id": "1", "param": "foo" } ``` Remember that a route parameter will override a query parameter with the same name. So in the route `/api/users/1?id=foo`, `req.query.id` will be `1` and not `foo`. Create a directory `[id]` in `pages/api/users` and create `index.js` inside it, which will map to the `/api/users/[id]` route. Write the following code in `index.js`: ```jsx import { users } from '../../../../data' export default function handler(req, res) { const { id } = req.query const user = users.find((user) => { return user.id == id }) if (typeof user !== 'undefined') return res.status(200).json(user) res.status(404).json({ error: 'Not found' }) } ``` This function finds the appropriate user from the array and returns it. If no user with the specified ID is found, a "Not found" error is returned instead. Test the route with the following request: ```sh $ curl {"id":3,"username":"john","name":"John","location":"France"} ``` ### Nested Routes It's possible to create nested routes in Next.js by simply nesting directories. A directory structure like `pages/api/foo/bar.js` or `pages/api/foo/bar/index.js` will be mapped to `/api/foo/bar`. Let's create a `posts` route under `/api/users/[id]`, which will return all posts by the specified user. Create the file `posts.js` in `pages/api/users/[id]` with the following code: ```jsx import { users, posts } from '../../../../data' export default function handler(req, res) { const { id } = req.query const user = users.find((user) => { return user.id == id }) if (typeof user === 'undefined') return res.status(404).json({ error: 'Not found' }) const userPosts = posts.filter((post) => { return post.userId == id }) res.status(200).json(userPosts) } ``` This function first finds the appropriate user and then filters the posts array to find posts with the particular `userId`. Test that it works correctly: ```sh $ curl [{"id":1,"userId":1,"text":"Hello, World!"},{"id":3,"userId":1,"text":"Lorem ipsum dolor sit amet. "}] ``` ### Catch-All Routes Catch-all routes are similar to dynamic routes, but whereas in a dynamic route, the dynamic segment matches only that particular part of the route, in a catch-all route, it matches all paths under that route. This can be created by adding three dots (`...`) inside the square brackets. So, a route like `/api/foo/[...bar]` will match `/api/foo/a`, `/api/foo/a/b`, `/api/foo/a/b/c`, and so on. However, it won't match `/api/foo`—i. e. , the path parameter cannot be omitted. If you'd like the path parameter to be optional, you can convert it to an optional catch-all route by using two square brackets (`[[ ]]`). So, `/api/foo/[[...bar]]` matches `/api/foo/a`, `/api/foo/a/b`, `/api/foo/a/b/c`, and so on, as well as `/api/foo`. The path parameters can be accessed through `req.query` as before, but in this case, it will be an array of one or more elements if parameters are passed or an empty object if the parameter is omitted. Let's create an optional catch-all route `/api/comments/[[...ids]]`, which will do the following: - Return all comments if no parameter is passed - Return all comments under post `xx` for a route like `/api/comments/xx` - Return all comments by user `yy` under post `xx` for a route like `/api/comments/xx/yy` Create the directory `comments` in `pages/api` and create the file **\[\[...ids]].js** inside: ```jsx import { users, posts, comments } from '../../../data' export default function handler(req, res) { const { ids } = req.query if (Array.isArray(ids)) { if (ids.length > 2) { return res.status(400).json({ error: 'There cannot be more than two parameters ' }) } if (ids.length === 1) { const postId = ids[0] const postComments = comments.filter((comment) => { return comment.postId == postId }) return res.status(200).json(postComments) } if (ids.length === 2) { const [postId, userId] = ids const postUserComments = comments.filter((comment) => { return comment.postId == postId && comment.userId == userId }) return res.status(200).json(postUserComments) } } return res.status(200).json(comments) } ``` You can test this route with zero or more parameters: ```sh $ curl # Returns all comments [{"id":1,"postId":1,"userId":2,"text":"Hi there!"},{"id":2,"postId":1,"userId":3,"text":"Lorem ipsum"},{"id":3,"postId":2,"userId":1,"text":"Nulla bibendum risus sed vestibulum lobortis. Fusce."},{"id":4,"postId":2,"userId":1,"text":"In ut nulla vitae dolor scelerisque lacinia. "},{"id":5,"postId":2,"userId":1,"text":"Praesent semper enim eu ligula rutrum finibus."}] $ curl # All comments of post 1 [{"id":1,"postId":1,"userId":2,"text":"Hi there!"},{"id":2,"postId":1,"userId":3,"text":"Lorem ipsum"}] $ curl # All comments of post 1 and user 2 [{"id":1,"postId":1,"userId":2,"text":"Hi there!"}] ``` ## Adding JWT Authentication If you're working on a project where your API routes should be kept private, you'll need to protect them from unauthorized access. [JWT authentication](https://jwt.io/introduction) is one of the most commonly used authentication mechanisms for securing APIs. You'll now add JWT authentication to the `/api/users` route so that the users need to log in before accessing that route. First, stop the server if it's running. Install the required dependencies with `yarn add bcryptjs jsonwebtoken`. The `bcrypt` library is used to hash and compare the passwords, and the `jsonwebtoken` library is used to create and verify the JWT. Create an ENV file with the following content: ```sh JWT_SECRET_KEY = mysecret ``` This key will be used to sign the JWT, so in an actual application, this should be a random string and kept secret. Next, open `data.js` and add a `password` key to all the users. For simplicity, add the same password to all the users: ``` password: '$2y$10$mj1OMFvVmGAR4gEEXZGtA.R5wYWBZTis72hSXzpxEs.QoXT3ifKSq' // Add this key to all users ``` The value in quotes is the hashed version of the string "password". Next, create `auth.js` inside `pages/api`. This file will log the user in and generate the token. Start with the necessary imports: ```jsx import { users } from '../../data' import bcrypt from 'bcryptjs' import jwt from 'jsonwebtoken' const JWT_KEY = process.env.JWT_SECRET_KEY ``` Ensure that only the `POST` method is allowed: ```jsx // ... export default async function handler(req, res) { if (req.method !== 'POST') return res.status(405).json({ error: 'Method not allowed' }) } ``` The next step is to extract the username and password from the body and ensure that a user with the username exists: ```jsx const { username, password } = req.body if (!username || !password) return res.status(400).json({ error: 'Username and password are required' }) const user = users.find((user) => { return user.username === username }) if (!user) return res.status(404).json({ error: 'User not found ' }) ``` Then, use `bcrypt` to compare the password in the request with the actual password: ```jsx const { password: userPassword, id, location, name } = user const match = await bcrypt.compare(password, userPassword) if (!match) return res.status(401).json({ error: 'Wrong password' }) ``` If the passwords are a match, sign and send the JWT: ```jsx const payload = { userId: id, location, name } jwt.sign(payload, JWT_KEY, { expiresIn: 24 * 3600 }, (err, token) => { res.status(200).json({ token }) }) ``` The entire file should look like this: ```jsx import { users } from '../../data' import bcrypt from 'bcryptjs' import jwt from 'jsonwebtoken' const JWT_KEY = process.env.JWT_SECRET_KEY export default async function handler(req, res) { if (req.method !== 'POST') return res.status(405).json({ error: 'Method not allowed' }) const { username, password } = req.body if (!username || !password) return res.status(400).json({ error: 'Username and password are required' }) const user = users.find((user) => { return user.username === username }) if (!user) return res.status(404).json({ error: 'User not found ' }) const { password: userPassword, id, location, name } = user const match = await bcrypt.compare(password, userPassword) if (!match) return res.status(401).json({ error: 'Wrong password' }) const payload = { userId: id, location, name } jwt.sign(payload, JWT_KEY, { expiresIn: 24 * 3600 }, (err, token) => { res.status(200).json({ token }) }) } ``` Let's test this route. Start the server with yarn dev and send a request to `localhost:3000/api/auth`: ```sh $ curl -X POST "" -d '{"username": "bob", "password": "password"}' -H 'Content-Type: application/json' {"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEsImxvY2F0aW9uIjoiVVNBIiwibmFtZSI6IkJvYiIsImlhdCI6MTY2OTEwMDI3OCwiZXhwIjoxNjY5MTg2Njc4fQ.0EFxEtqR2-rZij-PqD66bWatC_kiMl6QDpNlaqyjaLQ"} ``` Note that you'll likely get a different token. You can now use this token to check the authenticity of the user. Let's protect the `/api/users` route with JWT. Replace the content in **pages/api/users/index.js** with the following: ```jsx import { users } from '../../../data' import jwt from 'jsonwebtoken' const JWT_KEY = process.env.JWT_SECRET_KEY export default function handler(req, res) { const { authorization } = req.headers if (!authorization) return res.status(401).json({ error: 'The authorization header is required' }) const token = authorization.split(' ')[1] jwt.verify(token, JWT_KEY, (err, payload) => { if (err) return res.status(401).json({ error: 'Unauthorized' }) return res.status(200).json( users.map((user) => { return { ...user, password: '' } }), ) }) } ``` The above code checks the `Authorization` header for the JWT. If a token is passed, the `jwt.verify` function is invoked to check the token's authenticity. Once authenticated, the data is returned (with the password field stripped from the users—you wouldn't want to expose the passwords, would you?). Test this route by passing the `Authorization` header to the request: ```sh $ curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEsImxvY2F0aW9uIjoiVVNBIiwibmFtZSI6IkJvYiIsImlhdCI6MTY2OTEwMDI3OCwiZXhwIjoxNjY5MTg2Njc4fQ.0EFxEtqR2-rZij-PqD66bWatC_kiMl6QDpNlaqyjaLQ" # Replace with your token [{"id":1,"username":"bob","name":"Bob","location":"USA","password":""},{"id":2,"username":"alice","name":"Alice","location":"Sweden","password":""},{"id":3,"username":"john","name":"John","location":"France","password":""}] ``` An invalid token will raise the following error: ```sh $ curl -H "Authorization: Bearer: invalid" {"error":"Unauthorized"} ``` As you can see, adding JWT authentication to API routes is an involved process that can be complicated. Using something like Clerk’s [Next.js authentication solution](/nextjs-authentication) makes the process much easier since it does the heavy lifting of authentication, taking the task off your plate. With Clerk, authentication is as simple as importing the `getAuth` function: ```jsx import { getAuth } from '@clerk/nextjs/server' ``` Calling it inside the handler function is also easy, which will automatically authenticate the user and return the user ID: ```jsx const { userId } = getAuth(req) ``` You'll learn more about authentication with Clerk in part two of this series. ## Conclusion Next.js API routes offer extreme flexibility in keeping your server-side logic close to the frontend and creating an API application. With the many different types of API routes available, it's critical to implement proper authentication to protect the routes from bad actors. However, adding authentication can be a complex and daunting task. This is why solutions like [Clerk](/) exist to make it as easy and seamless as possible. --- # Clerk and Create T3 Turbo URL: https://clerk.com/blog/clerk-t3-turbo.md Date: 2022-12-28 Category: Guides Description: This guide shows you how to integrate Clerk into T3-Turbo so you can have user management for everyone. T3-Turbo is one of the easiest ways to get both Type safety while using Next.js and Expo. The biggest missing feature is the ability to share authentication between your applications. This guide shows you how to integrate Clerk into T3-Turbo so you can have user management for everyone. > For comprehensive Expo authentication without the T3 stack, [learn more about our Expo support](/expo-authentication). If you don’t want to do this manually, use the [starter repo](https://github.com/clerkinc/t3-turbo-and-clerk). It is open source and free. ## Assumptions There are a few assumptions here when working through this guide. - You understand TRPC and its functionality. - You are familiar with Expo. - You have a working knowledge of Turborepo ## Setup ### Create your free Clerk account You need a free Clerk account to use everything in this guide, so head to [https://dashboard.clerk.com](https://dashboard.clerk.com) and sign up for your free account. ### Create a new application in the dashboard You will need to create a new application, name it and select Discord as a social sign-in. If you change any setting here, you may need to update your Expo code to handle any requirements you change. ![Clerk T3 Turbo guide illustration](./033608f71ab9631e79b9c3569e92bb808e6dc213-3918x1924.png) ### ![Clerk T3 Turbo guide illustration](./c00fd14484c9b3f888f03d00f543923351f66a34-3920x2244.png) ### Update .env to use your keys Under the dashboard, you will need your API keys and create a copy of the `.env.example` as `.env` ![Clerk T3 Turbo guide illustration](./f244212d6116858dbef13ee31ecf14af91fd759e-3914x2182.png) ## Adding global env to Turbo We want to have our env available in many parts of our application. You can add the following to our `turbo.json` . ```json {{ prettier: false }} "globalEnv": [ "DATABASE_URL", "NEXT_PUBLIC_CLERK_FRONTEND_API", "CLERK_API_KEY", "CLERK_JWT_KEY" ] ``` ### Update Next.js package.json We need to be able to access the .env when working in development, so replace the dev script with the following: ```json {{ prettier: false }} "with-env": "dotenv -e ../../.env --", "dev": "pnpm with-env next dev", ``` ## ## Updating our Next.js application First, we will work on our Next.js application, whose only change is [adding Clerk](/nextjs-authentication), so we have powerful user authentication. ### Install ```bash pnpm install @clerk/nextjs --filter @acme/nextjs ``` Now that the Clerk package has been installed in our Next.js application, we need to wrap our application in the ``, which gives us access to the authentication state throughout our application. Open up your `_app.tsx` file and modify the code. ```tsx import '../styles/globals.css' import type { AppType } from 'next/app' import { ClerkProvider } from '@clerk/nextjs' import { trpc } from '../utils/trpc' const MyApp: AppType = ({ Component, pageProps: { ...pageProps } }) => { return ( ) } export default trpc.withTRPC(MyApp) ``` ## Add Middleware.ts Clerk uses Next.js middleware to allow your application to keep track of authentication behind the scenes. ```tsx import { withClerkMiddleware } from '@clerk/nextjs/server' import { NextResponse } from 'next/server' import type { NextRequest } from 'next/server' export default withClerkMiddleware((_req: NextRequest) => { return NextResponse.next() }) // Stop Middleware running on static files export const config = { matcher: [ /* * Match request paths except for the ones starting with: * - _next * - static (static files) * - favicon.ico (favicon file) * * This includes images, and requests from TRPC. */ '/(.*?trpc.*?|(?!static|.*\\..*|_next|favicon.ico).*)', ], } ``` You will notice the matcher at the bottom, which ensures that middleware doesn’t run on every request. This will scope it to TRPC + API routes leaving your images and static files alone. ## Embedding our UI components Clerk provides highly customizable components from Sign-up to Organization management. They require zero form creation or state management, making them easy to implement. Each component will use the [Next.js optional catch all route](https://nextjs.org/docs/routing/dynamic-routes#optional-catch-all-routes). This allows you to redirect the user inside your application using OAuth providers. ### Sign in ```jsx import { SignIn } from '@clerk/nextjs' const SignInPage = () => (

Sign In

) export default SignInPage ``` ### Sign up ```jsx import { SignUp } from '@clerk/nextjs' const SignUpPage = () => (

Sign In

) export default SignUpPage ``` ### Updating index.tsx The final step for Next.js is to update our `index.tsx` to use Clerk. Once we update this page, users will have a way to sign in, sign out and see data from TRPC in the future. We need to import a prebuilt component from Clerk and a hook that allow us to access the current auth state. `import { useAuth, UserButton } from "@clerk/nextjs";` ### What is useAuth? The `useAuth` hook is a convenient way to access the current auth state. This hook provides the minimal information needed for data-loading, such as the user id and helper methods to manage the current active session. ### What is UserButton? Initially popularized by Google, users have come to expect that little photo of themselves in the top-right of the page – it’s the access point to manage their account, switch accounts, or sign out. The `` component renders this familiar user button UI. It renders a clickable user avatar - when clicked, the full UI opens as a popup. Here is an example ![Clerk T3 Turbo guide illustration](./12da04075590eb1282144bf1b8ede1a59a634988-942x1052.png) ### Updating AuthShowcase The `AuthShowCase` component in the `index.tsx` file needs to be updated to use the `useAuth()` hook, allow the user to sign in, and show our UserButton if the user is signed in. ```tsx {{ prettier: false }} const AuthShowcase: React.FC = () => { const { isSignedIn } = useAuth() ``` Now we can update our secret message from `{ enabled: !!session?.user }` to `{ enabled: isSignedIn }` ```tsx {{ prettier: false }} const AuthShowcase: React.FC = () => { const { isSignedIn } = useAuth() const { data: secretMessage } = trpc.auth.getSecretMessage.useQuery( undefined, { enabled: isSignedIn }, ) ``` Now the final change is to use `isSignedIn` in our return statement to conditionally show the secret message and UserButton component or show a sign-in link. We can do that by replacing `{session?.user && (` with `isSignedIn` and underneath, providing the false statement using `!isSignedIn` this is where we can place a Link to our mounted `/sign-in page`. ```jsx { isSignedIn && ( <>

{secretMessage && ( {' '} {secretMessage} click the user button!
)}

) } ``` The `UserButton` component allows users to manage their accounts, including signing out or updating their profile and password or linking a new account through OAuth providers. I added some customization to make the UserButton larger. To learn more about customization, go to our documentation where we explain how to use the [appearance prop](/docs/component-customization/appearance-prop) The final step is to add a login text that pushes the user to the mounted sign-in page. ```jsx { !isSignedIn && (

Sign In

) } ``` Below is the final AuthShowcase. ```tsx const AuthShowcase: React.FC = () => { const { isSignedIn } = useAuth() const { data: secretMessage } = trpc.auth.getSecretMessage.useQuery(undefined, { enabled: !!isSignedIn, }) return (
{isSignedIn && ( <>

{secretMessage && ( {' '} {secretMessage} click the user button!
)}

)} {!isSignedIn && (

Sign In

)}
) } ``` Now that the Next.js work is done, we should update our TRPC API to use Clerk instead of NextAuth, so we can test this work and get ready to update Expo. ## Updating API package to use Clerk Currently, the API package has TRPC context, and middleware uses Auth.js (previously NextAuth). We can replace this with Clerk so we can use it both with Expo and Next.js. You can delete the Auth package in the packages folder completely and update the Prisma schema to remove the user data. None of this is needed to use Clerk makes sure you remove any references if you do this ### Updating TRPC context The context is found at `packages/api/src/context.ts`. In this package, we will add the ability to detect the user being signed in and retrieve the full User object. First, we must remove the auth package import and add `getAuth` , `clerkClient`, `SignedInAuthObject` and `SignedOutAuthObject` as a type. ```tsx {{ del: [1], ins: [2, 3] }} import { getServerSession, type Session } from '@acme/auth' import { getAuth } from '@clerk/nextjs/server' import type { SignedInAuthObject, SignedOutAuthObject } from '@clerk/nextjs/api' ``` ### What is `getAuth` ? The `getAuth()` helper retrieves the authentication state and can be used anywhere within a next.js server. It provides information needed for data-loading, such as the user id and can be used to protect your API routes. ### Updating `createContext` function For the `createContext` function, we want to pass around the user object anywhere in our application. For this, we can create an async function called `getUser` that retrieves the `userId` and subsequently retrieves the user data. ```tsx export const createContext = async (opts: CreateNextContextOptions) => { return await createContextInner({ auth: getAuth(opts.req) }) } ``` Now we can retrieve a user, and if not, we will return `null` we can pass this to our `createContextInner` in case you need it for testing without a request object. ```tsx type AuthContextProps = { auth: SignedInAuthObject | SignedOutAuthObject } /** Use this helper for: * - testing, where we dont have to Mock Next.js' req/res * - trpc's `createSSGHelpers` where we don't have req/res * @see https://beta.create.t3.gg/en/usage/trpc#-servertrpccontextts */ export const createContextInner = async ({ auth }: AuthContextProps) => { return { auth, prisma, } } ``` ## Updating TRPC middleware The TRPC middleware found in `/packages/api/src/trpc.ts` needs a small update to the `isAuthed` function. The if statement becomes `!ctx.auth.userId`, and the return becomes `auth: ctx.auth` ```tsx import { initTRPC, TRPCError } from '@trpc/server' import { type Context } from './context' import superjson from 'superjson' const t = initTRPC.context().create({ transformer: superjson, errorFormatter({ shape }) { return shape }, }) const isAuthed = t.middleware(({ next, ctx }) => { if (!ctx.auth.userId) { throw new TRPCError({ code: 'UNAUTHORIZED', message: 'Not authenticated' }) } return next({ ctx: { auth: ctx.auth, }, }) }) export const router = t.router export const publicProcedure = t.procedure export const protectedProcedure = t.procedure.use(isAuthed) ``` Our Next.js application can be tested with TRPC, including the secret message that uses protected routes. Give it a test. ## Updating our Expo application The Expo application currently doesn’t support authentication; the good news is Clerk supports Expo with our `@clerk/expo` package. ### Install `@clerk/expo` package and secure-store `pnpm install @clerk/clerk-expo expo-secure-store --filter @acme/expo` ### Create a Token Cache We need a token cache here, which is why we installed `expo-secure-store` that allows you to store key pair values on the device. Create a new file under `/src/utils/` named `cache.ts` and paste in the following code: ```tsx import * as SecureStore from 'expo-secure-store' import { Platform } from 'react-native' export async function saveToken(key: string, value: string) { // console.log("Save token", key, value); await SecureStore.setItemAsync(key, value) } export async function getToken(key: string) { const value = await SecureStore.getItemAsync(key) return value } // SecureStore is not supported on the web // https://github.com/expo/expo/issues/7744#issuecomment-611093485 export const tokenCache = Platform.OS !== 'web' ? { getToken, saveToken, } : undefined ``` I won’t explain this code above as it’s an expo-specific package, but this allows us to store the JWT securely and not in memory. ### Add `` Similar to our Next.js application, we need to wrap up our `_app.tsx` in the `` to allow access to auth state anywhere in the application. What is different here is we need use our newly created `TokenCache`, and we need to provide the Clerk frontend API directly to the `` ```jsx import { StatusBar } from 'expo-status-bar' import React from 'react' import { SafeAreaProvider } from 'react-native-safe-area-context' import { TRPCProvider } from './utils/trpc' import { HomeScreen } from './screens/home' import { ClerkProvider } from '@clerk/clerk-expo' import { tokenCache } from './utils/cache' // Find this in your Dashboard. const clerk_frontend_api = 'FRONT_END_API' export const App = () => { return ( ) } ``` ### Protecting pages Our Expo package provides an easy way to gate content using `SignedIn` and `SignedOut`, which will gate the content depending on the user's current state. ```jsx import { StatusBar } from 'expo-status-bar' import React from 'react' import { SafeAreaProvider } from 'react-native-safe-area-context' import { TRPCProvider } from './utils/trpc' import { HomeScreen } from './screens/home' import { ClerkProvider, SignedIn, SignedOut } from '@clerk/clerk-expo' import { tokenCache } from './utils/cache' // Find this in your Dashboard. const clerk_frontend_api = 'FRONT_END_API' export const App = () => { return ( ) } ``` ## Implementing a way to sign in. With Clerk Expo, you must implement your pages to sign in or sign up as a user. We will use Discord, but you can use any social or standard sign-in you want. First, we need to install `expo-auth-session` to handle sessions. `pnpm install expo-auth-sessions --filter @acme/expo` ### Creating a Sign In component Create a folder called `components` and then create a file called `SignInWithOAuth.tsx`. This will be our component that you can easily extend to use more providers or swap out Discord for something else. ```jsx import { useSignIn } from '@clerk/clerk-expo' import React from 'react' import { Button, View } from 'react-native' import * as AuthSession from 'expo-auth-session' const SignInWithOAuth = () => { const { isLoaded, signIn, setSession } = useSignIn() } ``` Here we are using another helper, which allows you to sign in as a user and set the session after the fact. We need to make sure Clerk is fully loaded before we attempt a sign in so we can use the `isLoaded` as part of the `useSignIn` helper. ```jsx import { useSignIn } from '@clerk/clerk-expo' import React from 'react' import { Button, View } from 'react-native' import * as AuthSession from 'expo-auth-session' const SignInWithOAuth = () => { const { isLoaded, signIn, setSession } = useSignIn() if (!isLoaded) return null } ``` Now we need to create our function that will run when a user taps the button to sign in: ```jsx {{ prettier: false }} import { useSignIn } from '@clerk/clerk-expo' import React from 'react' import { Button, View } from 'react-native' import * as AuthSession from 'expo-auth-session' const SignInWithOAuth = () => { const { isLoaded, signIn, setSession } = useSignIn() if (!isLoaded) return null const handleSignInWithDiscordPress = async () => { try { ``` Next we need to tell where to redirect to after a successful or unsuccessful login attempt via Discord,`expo-auth-session` provides a helper to make a redirect, which is called `makeRedirectUri`, and set it to `/oauth-native-callback` ```jsx {{ prettier: false }} import { useSignIn } from '@clerk/clerk-expo' import React from 'react' import { Button, View } from 'react-native' import * as AuthSession from 'expo-auth-session' const SignInWithOAuth = () => { const { isLoaded, signIn, setSession } = useSignIn() if (!isLoaded) return null const handleSignInWithDiscordPress = async () => { try { const redirectUrl = AuthSession.makeRedirectUri({ path: '/oauth-native-callback', }) ``` At this point, we can start our sign in attempt using `signIn.create` passing in our strategy, which is `oauth_discord`, and our newly created `redirectUrl` ```jsx {{ prettier: false }} import { useSignIn } from '@clerk/clerk-expo' import React from 'react' import { Button, View } from 'react-native' import * as AuthSession from 'expo-auth-session' const SignInWithOAuth = () => { const { isLoaded, signIn, setSession } = useSignIn() if (!isLoaded) return null const handleSignInWithDiscordPress = async () => { try { const redirectUrl = AuthSession.makeRedirectUri({ path: '/oauth-native-callback', }) await signIn.create({ strategy: 'oauth_discord', redirectUrl, }) ``` The `SignIn` object holds all the state of the current sign in and provides helper methods to navigate and complete the sign in process. You can read about this in our [documentation](/docs/reference/clerkjs/signin), as you may want to use the different sign in methods in the future. The next part of the sign in is to retrieve the external redirect URL and use AuthSession. This will give us the ability to know if the OAuth was successful or not. ```jsx {{ prettier: false }} import { useSignIn } from '@clerk/clerk-expo' import React from 'react' import { Button, View } from 'react-native' import * as AuthSession from 'expo-auth-session' const SignInWithOAuth = () => { const { isLoaded, signIn, setSession } = useSignIn() if (!isLoaded) return null const handleSignInWithDiscordPress = async () => { try { const redirectUrl = AuthSession.makeRedirectUri({ path: '/oauth-native-callback', }) await signIn.create({ strategy: 'oauth_discord', redirectUrl, }) const { firstFactorVerification: { externalVerificationRedirectURL }, } = signIn const result = await AuthSession.startAsync({ authUrl: externalVerificationRedirectURL?.toString() || '', returnUrl: redirectUrl, }) // eslint-disable-next-line @typescript-eslint/ban-ts-comment // @ts-ignore const { type, params } = result || {} if (type !== 'success') { throw 'Something went wrong during the OAuth flow. Try again.' } ``` You may notice that we have an eslint to disable the checks on the next line. There is an assumption in this example that it will always be successful, but you can use the following [AuthSession](https://docs.expo.dev/versions/latest/sdk/auth-session/#returns-7) documentation to implement anything you may want to handle. We now need to retrieve `rotatingTokenNonce` and reload our `signIn` object. This will allow us to get the `sessionId` and sign the user in. ```jsx {{ prettier: false }} import { useSignIn } from '@clerk/clerk-expo' import React from 'react' import { Button, View } from 'react-native' import * as AuthSession from 'expo-auth-session' const SignInWithOAuth = () => { const { isLoaded, signIn, setSession } = useSignIn() if (!isLoaded) return null const handleSignInWithDiscordPress = async () => { try { const redirectUrl = AuthSession.makeRedirectUri({ path: '/oauth-native-callback', }) await signIn.create({ strategy: 'oauth_discord', redirectUrl, }) const { firstFactorVerification: { externalVerificationRedirectURL }, } = signIn const result = await AuthSession.startAsync({ authUrl: externalVerificationRedirectURL.toString(), returnUrl: redirectUrl, }) // eslint-disable-next-line @typescript-eslint/ban-ts-comment // @ts-ignore const { type, params } = result || {} console.log if (type !== 'success') { throw 'Something went wrong during the OAuth flow. Try again.' } // Get the rotatingTokenNonce from the redirect URL parameters const { rotating_token_nonce: rotatingTokenNonce } = params await signIn.reload({ rotatingTokenNonce }) ``` Finally we can retrieve the `createdSessionId` from the `signIn` object and set that to our current session. This will let us know that the user is signed in with a valid session. ```jsx {{ prettier: false }} import { useSignIn } from '@clerk/clerk-expo' import React from 'react' import { Button, View } from 'react-native' import * as AuthSession from 'expo-auth-session' const SignInWithOAuth = () => { const { isLoaded, signIn, setSession } = useSignIn() if (!isLoaded) return null const handleSignInWithDiscordPress = async () => { try { const redirectUrl = AuthSession.makeRedirectUri({ path: '/oauth-native-callback', }) await signIn.create({ strategy: 'oauth_discord', redirectUrl, }) const { firstFactorVerification: { externalVerificationRedirectURL }, } = signIn const result = await AuthSession.startAsync({ authUrl: externalVerificationRedirectURL?.toString() || '', returnUrl: redirectUrl, }) // eslint-disable-next-line @typescript-eslint/ban-ts-comment // @ts-ignore const { type, params } = result || {} if (type !== 'success') { throw 'Something went wrong during the OAuth flow. Try again.' } // Get the rotatingTokenNonce from the redirect URL parameters const { rotating_token_nonce: rotatingTokenNonce } = params await signIn.reload({ rotatingTokenNonce }) const { createdSessionId } = signIn if (!createdSessionId) { throw 'Something went wrong during the Sign in OAuth flow. Please ensure that all sign in requirements are met.' } await setSession(createdSessionId) return } ``` Finally we can add a catch for anything that might go wrong that we aren’t handling and return the error. ```jsx {{ prettier: false }} import { useSignIn } from '@clerk/clerk-expo' import React from 'react' import { Button, View } from 'react-native' import * as AuthSession from 'expo-auth-session' const SignInWithOAuth = () => { const { isLoaded, signIn, setSession } = useSignIn() if (!isLoaded) return null const handleSignInWithDiscordPress = async () => { try { const redirectUrl = AuthSession.makeRedirectUri({ path: '/oauth-native-callback', }) await signIn.create({ strategy: 'oauth_discord', redirectUrl, }) const { firstFactorVerification: { externalVerificationRedirectURL }, } = signIn const result = await AuthSession.startAsync({ authUrl: externalVerificationRedirectURL?.toString() || '', returnUrl: redirectUrl, }) // eslint-disable-next-line @typescript-eslint/ban-ts-comment // @ts-ignore const { type, params } = result || {} if (type !== 'success') { throw 'Something went wrong during the OAuth flow. Try again.' } // Get the rotatingTokenNonce from the redirect URL parameters const { rotating_token_nonce: rotatingTokenNonce } = params await signIn.reload({ rotatingTokenNonce }) const { createdSessionId } = signIn if (!createdSessionId) { throw 'Something went wrong during the Sign in OAuth flow. Please ensure that all sign in requirements are met.' } await setSession(createdSessionId) return } catch (err) { console.log(JSON.stringify(err, null, 2)) console.log('error signing in', err) } } ``` Our sign in method is now complete, so we can create a simple UI that, on touch, will attempt a sign in. ```jsx return (